IBM software
Lab 1: Profile Web Application


This lab is an introduction to reconnaissance and profiling, which is the first step a malicious user takes in
order to gather information about their attack target. In the reconnaissance phase, the malicious user
tries to determine as much information as possible about the system they want to compromise; this
usually involves both manual and automated techniques.

In this lab we will use manual techniques to help us identify the web application and will see what
information can be leaked by the web application. We will review the application pages and HTTP headers
using the Tamper Data plug-in for Firefox, and will enter data that causes error messages.


When we are done, we will have profiled the target application.


In this lab you will play the role of a Malicious User. 


Lab Overview
1.1: Profile Website


1.1 Profile Website 
__1. Open Website 


__a. Open the Firefox browser using the shortcut on the desktop


[Screenshot: Mozilla Firefox desktop shortcut]
__b. Open the AltoroMutual site by typing in the address http://demo.testfire.net


__c. Click on the Sign In link 


[Screenshot: Sign In | Contact Us | Feedback]

__2. Look at the Sign In page to see what you can tell about this application.


__a. Is it a J2EE application or .NET? Hint: look at the address.


It is a .NET application. This is because the address ends in
.ASPX.


__b. What form of authentication does it use? Form based? HTTP? 


It is using form-based authentication. With HTTP and NTLM
authentication, dialogue boxes would pop up requesting
credentials. Since there are no pop-up boxes, we know that
http://demo.testfire.net uses form-based authentication.


__c. From the menu, choose Tools -> Tamper Data 


Note: Tamper Data is a Firefox plug-in which allows the user to view
and modify HTTP/HTTPS headers and POST parameters.

[Screenshot: Firefox Tools menu (Error Console, Page Info, Clear Private Data... Ctrl+Shift+Delete)]





__e. Return to Firefox, enter jsmith for the username and demo1234 for the password, and click
the Login button


[Screenshot: Online Banking Login form with Username jsmith and the Password filled in]
__f. If you get a password confirmation message box, select the Never for This Site button


[Screenshot: Firefox prompt "Do you want Firefox to remember this password?" with the buttons Remember | Never for This Site | Not Now]





__g. Switch to the Tamper Data application and select the first request 


[Screenshot: Tamper Data window showing the first request to http://demo.testfire.net/bank/login.aspx, with the request headers on the left and the response headers on the right (including X-Powered-By: ASP.NET, gzip/deflate encoding and the ASP.NET session cookie)]
Looking at the HTTP headers in the HTTP response (bottom right-hand window), can you see
what web server we are using? What web application server we are using? What version
of the application server we are using?


Look at the Server, X-Powered-By and X-AspNet-Version headers: the web server is IIS (Server header),
and the web application server is ASP.NET, version 2.0 (X-Powered-By and X-AspNet-Version headers).
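The header check in this step can be automated and turned into a test a defender runs against their own site. The following Python script is an added example, not part of the lab material or the AltoroMutual application. It parses a constructed HTTP response modelled on what Tamper Data shows for the login page (the header values Microsoft-IIS/6.0 and 2.0.50727 and the cookie value are illustrative, not captured from demo.testfire.net), pulls out the Server, X-Powered-By and X-AspNet-Version headers, and also records what the .aspx extension and the session cookie name reveal on their own. HARDENED_RESPONSE is the same response with the disclosing headers suppressed.

```python
from urllib.parse import urlparse

# Constructed sample response, modelled on what Tamper Data shows for the
# lab's login page. Header values are illustrative, not captured output.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 2.0.50727\r\n"
    "Set-Cookie: ASP.NET_SessionId=EXAMPLE-SESSION-ID; path=/; HttpOnly\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body>Online Banking Login</body></html>"
)

# The same response with the version-disclosing headers suppressed: the form a
# defender wants to see. The URL and the cookie are left unchanged on purpose.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: ASP.NET_SessionId=EXAMPLE-SESSION-ID; path=/; HttpOnly\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><body>Online Banking Login</body></html>"
)

# Response headers whose presence fingerprints the web or application server.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# What a URL extension suggests about the platform (the hint in step 2a).
EXTENSION_HINTS = {
    ".aspx": "ASP.NET (.NET)",
    ".asp": "Classic ASP",
    ".jsp": "J2EE (Java)",
    ".do": "J2EE (Java, Struts)",
    ".php": "PHP",
}

# Default session cookie names that identify a framework by themselves.
COOKIE_HINTS = {"ASP.NET_SessionId": "ASP.NET", "JSESSIONID": "J2EE (Java)", "PHPSESSID": "PHP"}


def parse_headers(raw_response):
    """Split a raw HTTP response into its status line and a list of
    (lower-cased name, value) header pairs; repeated headers are kept."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate malformed lines rather than crash the audit
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def fingerprint(url, raw_response):
    """Collect everything an observer can infer from one URL and its response.

    Returns {"findings": [(source, inference), ...],
             "disclosing_headers": ["name: value", ...]}."""
    findings = []
    path = urlparse(url).path.lower()
    for ext, tech in EXTENSION_HINTS.items():
        if path.endswith(ext):
            findings.append(("url extension " + ext, tech))
    _, headers = parse_headers(raw_response)
    disclosing = []
    for name, value in headers:
        if name in DISCLOSING_HEADERS:
            disclosing.append(f"{name}: {value}")
            findings.append((name, value))
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            if cookie_name in COOKIE_HINTS:
                findings.append(("cookie " + cookie_name, COOKIE_HINTS[cookie_name]))
    return {"findings": findings, "disclosing_headers": disclosing}


def answer_lab_questions(raw_response):
    """Map the response headers onto the three questions asked in this step."""
    _, headers = parse_headers(raw_response)
    first = {}
    for name, value in headers:
        first.setdefault(name, value)  # first occurrence wins, like a browser
    return {
        "web_server": first.get("server"),
        "application_server": first.get("x-powered-by"),
        "application_server_version": first.get("x-aspnet-version"),
    }


if __name__ == "__main__":
    url = "http://demo.testfire.net/bank/login.aspx"
    for label, resp in (("as observed", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, answer_lab_questions(resp))
        for source, inference in fingerprint(url, resp)["findings"]:
            print(f"  {source} -> {inference}")
```

Running it shows the point the hardened response makes: dropping the three headers (in ASP.NET, `<httpRuntime enableVersionHeader="false" />` removes X-AspNet-Version, and X-Powered-By and Server can be removed at the IIS level) takes the exact versions away, but the .aspx extension and the ASP.NET_SessionId cookie still tell an observer which framework is in use. Header suppression narrows the fingerprint; it does not replace patching.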


Close the Tamper Data window.


__3. Getting information from error messages:

__a. Maximize Firefox

__b. Select the Sign Off link

[Screenshot: Sign Off | Contact Us | Feedback]

__c. Enter the link for the page http://demo.testfire.net/bank/login.aspx

[Screenshot: Altoro Mutual Online Banking Login page open in Firefox at http://demo.testfire.net/bank/login.aspx]

__d. For the username type in ' (single quote) and anything for the password, and select
Login

[Screenshot: Online Banking Login form with Username ' and a Password filled in]
__e. What can you learn from the error page?


[Screenshot: error page "An Error Has Occurred" showing a Summary, an Error Message and a stack trace that passes through System.Data.SqlClient and System.Data.Common.DbDataAdapter before reaching an Altoro.Authentication method taking (String userName, String password) and Page_Load(Object sender, EventArgs e) in c:\Data\Source\AltoroMutual\website\bank\login.aspx.cs]





i. Is the site using a database?

Yes it is. We know this because we see a SQL error.

ii. Can you tell which one?

Can't tell from the error message, but an experienced hacker would
know it's MS SQL Server.

iii. Can you see which directory on the host the web application files are stored in?

Yes. If you invoke the error message by typing ' and anything
for the password and selecting Login, there's a stack trace
displayed. Scroll towards the bottom and you'll see the directory
path c:\Data\Source\AltoroMutual\website\bank\
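To see systematically what an error page like this gives away, and to confirm that a custom error page gives away nothing, here is an added Python example; it is not from the lab or from the AltoroMutual code. SAMPLE_ERROR_BODY is constructed to resemble the stack trace in this step: its exception text, method names (ValidateUser is an assumed name), frame list and line numbers are illustrative. The script counts stack frames, extracts the source paths and the directory they imply, flags data-access namespaces that identify the database driver, and checks for raw SQL error text, answering questions i to iii above from the page alone.

```python
import re

# Constructed sample error page, modelled on the stack trace the lab's login
# page shows for a single-quote username. The exception text, frames, method
# names and line numbers are illustrative, not captured output.
SAMPLE_ERROR_BODY = r"""An Error Has Occurred
Summary:
Unclosed quotation mark before the character string ''.
Error Message:
System.Data.SqlClient.SqlException: Unclosed quotation mark before the character string ''.
   at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior)
   at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, String srcTable)
   at Altoro.Authentication.ValidateUser(String userName, String password) in c:\Data\Source\AltoroMutual\website\bank\login.aspx.cs:line 60
   at Altoro.Authentication.Page_Load(Object sender, EventArgs e) in c:\Data\Source\AltoroMutual\website\bank\login.aspx.cs:line 22
"""

# What the same failure should look like once custom error pages are turned on.
GENERIC_ERROR_BODY = "An error has occurred. Please try again later. (reference EXAMPLE-REF-001)"

# A .NET stack frame line: "at Namespace.Type.Method(args)".
FRAME_RE = re.compile(r"^\s*at\s+([A-Za-z_][\w.`+]*)\(", re.MULTILINE)
# The "in <path>:line N" suffix the runtime appends when debug symbols are deployed.
SOURCE_RE = re.compile(r"\bin\s+([A-Za-z]:\\[^\r\n:]+?):line\s+(\d+)")
# Data-access namespaces that identify the database driver, and so the database.
DB_NAMESPACES = {
    "System.Data.SqlClient": "ADO.NET SqlClient (Microsoft SQL Server)",
    "System.Data.OleDb": "OLE DB provider (Access, or SQL Server via OLE DB)",
    "System.Data.OracleClient": "Oracle",
    "MySql.Data": "MySQL",
    "Npgsql": "PostgreSQL",
}
# Phrases showing that raw database error text is reaching the browser.
SQL_ERROR_PHRASES = ("unclosed quotation mark", "syntax error", "sqlexception", "odbc driver")


def analyse_error_page(body):
    """Return what an error page discloses: stack frames, source files, the
    directories they imply, database driver hints and raw SQL error text."""
    frames = FRAME_RE.findall(body)
    locations = SOURCE_RE.findall(body)
    source_files = sorted({path for path, _ in locations})
    # Windows paths: split on the last backslash and keep the trailing one.
    directories = sorted({path.rsplit("\\", 1)[0] + "\\" for path in source_files})
    lowered = body.lower()
    return {
        "frames": frames,
        "source_files": source_files,
        "directories": directories,
        "database_hints": sorted({desc for ns, desc in DB_NAMESPACES.items() if ns in body}),
        "sql_error": any(phrase in lowered for phrase in SQL_ERROR_PHRASES),
    }


def has_disclosure(body):
    """True if the page leaks anything a custom error page would hide."""
    r = analyse_error_page(body)
    return bool(r["frames"] or r["source_files"] or r["database_hints"] or r["sql_error"])


if __name__ == "__main__":
    for label, body in (("verbose page", SAMPLE_ERROR_BODY), ("generic page", GENERIC_ERROR_BODY)):
        print(label, "discloses details" if has_disclosure(body) else "discloses nothing")
        for key, value in analyse_error_page(body).items():
            print(f"  {key}: {value}")
```

For the verbose page the script recovers the same facts the lab answers give: a database is in use (SQL error text), the driver is SqlClient (pointing at SQL Server), and the source directory is c:\Data\Source\AltoroMutual\website\bank\. The generic page yields nothing. On ASP.NET the verbose form is switched off with `<customErrors mode="RemoteOnly" />` (or `mode="On"`) in web.config so that stack traces are only shown to a local browser, and the underlying cause, the unquoted username reaching the SQL statement, is removed by using parameterised queries.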
__4. The following is a list of some of the things an attacker might try to find out about our site in order
to profile the application environment and start to create a specific, targeted attack plan.


Review the answers:

Platform
  Technologies: .NET, JavaScript
  Web servers: IIS 5.0+
  Application servers: ASP.NET v 2.x
  Web server authentication: Anonymous web server authentication
  Database usage: Database in use
  Database type: MS SQL? Access?
  Third-party components:

Application
  Authentication: Form based authentication
  Authorization: User based authorization
  Web based administration: Yes = /Admin
  User contributed content: No social contribution areas
  Client side validation:
  Password creation: No password reset
  Session state: Cookies (several)
  Error handling: Custom error pages


__5. Close Firefox 